I’m so sorry to hear that, Yael.
Your work was outstanding and some of my favorite content. Consumer Reports is worse off without you on the team 😢
Posts by Fran Donoso
I'm reading a bunch of Coruna reports after dinner because I am a cool person who knows how to party. Of particular interest: not only does Coruna not work against iOS in lockdown mode, but if it even detects lockdown mode running, it bails. This is why I talk about lockdown mode so damn much.
Here we go. Free, no-reg versions of favorite stories from my four years at the Washington Post. First, three pieces from our Pulitzer-finalist series on how India's ruling party coerced U.S. tech giants into violating their own policies. www.washingtonpost.com/world/2023/0...
OpenAI disrupted new malicious use of ChatGPT... mostly for romance scams and info-ops
openai.com/index/disrup...
Cisco said there are no workarounds for the vulnerability and urged customers to apply available patches immediately. The company also recommended reviewing system logs, validating controller integrity, and implementing additional hardening measures where possible.
www.csoonline.com/article/4137...
I’m so sorry to hear that, Joe. You’re one of the greats and it breaks my heart to see that you were laid off. Looking forward to seeing where you end up and where I need to subscribe next.
patch ye MongoDB, there's an exploit for a vuln which has been in the product for over a decade that allows the remote, unauth read of any memory - which includes plaintext creds.
Somebody posted an exploit on Christmas Day, Merry Christmas!
doublepulsar.com/merry-christ...
This channel started to get recommended to me recently. I watched a bit of one video, realized it’s AI generated, and then just removed the channel from my recommendations. Pretty crummy quality, and whoever is making this is just pumping a ton of content out.
HARDEN YO' N8N - [CVSS 10.0 RCE] Remote Code Execution via Expression Injection m.cje.io/4qhl2JX
cc: @networkchuck @danielmiessler @jhaddix
Yep, that also tracks with the data we have (owned by a large cyber insurer). Akira is by far the most active and impactful for our clients. Responsible for most incidents in Q3 for sure.
6 boxes of full sized candy bars, tiny stuffed Halloween themed toys, and hot wheels.
I may have gone overboard on the Halloween goodies this year
#halloween
This is one of my favorite sci-fi books and my fav Andy Weir book! I was cautiously excited when I saw they were making a movie
Yooooo idk what you’re talking about. That stuffed animal looks awesome!
I’ve been reading further and it seems like it was a third party provider who was like a business process outsourcer.
This is similar to the recent Air France and Stellantis breaches but no idea if they’re related.
I think this is probably Salesforce compromised via Salesloft Drift?
It aligns with the Salesloft Drift stuff we’ve seen. Most of the other parties were also using Salesforce for support ticketing and had Salesforce auth tokens stolen from Drift.
I encourage cybersecurity professionals to read this report to understand the type of capabilities that can be deployed against citizens at scale by autocratic regimes.
Organizations designing products that support privacy should understand these capabilities and design to protect users from them.
"The requirements for future development also mention adding the ability to check which users are connected to specific mobile base stations in order to support location triangulation through these stations and detect when a large number of people congregate in a particular area"
"It uses the in-path injection capability in TSG to effectively recruit unsuspecting users' computers to participate in the attack, thereby creating a botnet"
"however, a closer examination reveals that it is actually a platform for launching DDoS attacks against websites and other internet services deemed politically undesirable. This would appear to be Geedge's own implementation of China's Great Cannon, as described in a 2015 Citizen Lab report"
"TSG's in-path injection capability system allows for sophisticated targeting of this malicious code for the specific user, facilitating on-the-fly modifications across a variety of file formats [...] complemented by Cyber Narrator [...] hijack in order to infect specific individuals."
"TSG is also capable of modifying HTTP sessions in realtime through techniques such as spoofing redirect responses, altering headers, injecting scripts, replacing text, and overriding response bodies."
From the report:
"Cyber Narrator is a powerful tool capable of tracking network traffic at the individual customer level and can identify the geographic location of mobile subscribers in real time [...]. The system also allows the government client to see aggregated network traffic."
This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:
interseclab.org/wp-content/u...
*EVERY Page is worth reading*
Some interesting tidbits in the thread
Incredible work, Yael!
Plex was hacked. It included usernames, emails, and hashed passwords.
Change your passwords when you can.
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
SentinelOne and Beazley Security have discovered a new Windows infostealer used in the wild named PXA Stealer, most likely the work of a Vietnamese-speaking cybercrime group.
www.sentinelone.com/labs/ghost-i...
labs.beazley.security/articles/gho...
I mean I’ve been urging people to toss their sonicwall devices into a shredder for years now 🤷🏻♂️